[Bro] AddressScan numbers and actual log number mismatch?

fatema bannatwala fatema.bannatwala at gmail.com
Wed Jun 14 04:59:31 PDT 2017


Thanks Justin!

When I looked for all ports, excluding "SF" connections from the conn log, I
did get more than 30 IPs (31 in total).
I think that would be what causes Bro to mark that IP as a scanning
address, if I am doing the filtering correctly.
$ nice zgrep --no-filename 71.162.229.81 conn.0[8-9]* | egrep -v "SF" \
    | awk -F'\t' '{if ($1 < 1497360944) print $5, $6}' | sort | uniq -c

On Tue, Jun 13, 2017 at 6:32 PM, Azoff, Justin S <jazoff at illinois.edu>
wrote:

> >
> > On Jun 13, 2017, at 6:21 PM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
> >
> > Thanks Justin, quick search through the data for past 23 days still
> showed up only 5 IPs, all belonging to today's logs.
> > Hence, was thinking, that the port/service in the Notice is one of the
> several services Bro notices an address scan on, and only reports the last
> one?
> > or the address scan was actually performed on that service only.
> >
> > Looking at the script, I think the service port (4282 for ex.) is the
> port for which Address Scans get reported, but just wanted to verify,
> > as I still not able to see more than 5 IPs hit on that port by
> 71.162.229.81.
>
> Ah yes, I see now that you were filtering for the port.  The policy counts
> scans across all ports.  You'd need to look for failed connections on any
> port.  You still may have to go back days to find the entire scan though.
>
>
> --
> - Justin Azoff
>
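Justin's point above (the Address_Scan policy counts failed connections to distinct destination hosts across all ports, not hits on one port) as an added worked example; this is not code from the thread or from Bro itself. It reads conn.log in the tab-separated ASCII format, using the standard column names (ts, id.orig_h, id.resp_h, id.resp_p, conn_state), tallies the distinct hosts one source failed to connect to before a given timestamp, and compares the count against a threshold you pass in (whatever Scan::addr_scan_threshold is set to in your deployment). The sample log lines are constructed with documentation-range addresses. Matching on the conn_state column rather than grepping the whole line for "SF" avoids dropping records where those two letters happen to occur inside a uid or another field.

```python
#!/usr/bin/env python3
"""Tally failed connections per destination host for one source, the way the
Address_Scan policy counts them: across all destination ports, not one port."""
import gzip
import sys
from collections import defaultdict

# Constructed sample conn.log in Zeek/Bro's tab-separated ASCII format, trimmed
# to the columns this script uses. Addresses are documentation ranges; these are
# not real traffic records.
SAMPLE_CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state",
    "1497360001.1\tCa1\t203.0.113.5\t51000\t192.0.2.10\t4282\ttcp\t-\tS0",
    "1497360002.2\tCa2\t203.0.113.5\t51001\t192.0.2.11\t22\ttcp\t-\tS0",
    "1497360003.3\tCa3\t203.0.113.5\t51002\t192.0.2.11\t4282\ttcp\t-\tREJ",
    "1497360004.4\tCa4\t203.0.113.5\t51003\t192.0.2.12\t80\ttcp\thttp\tSF",
    "1497360999.9\tCa5\t203.0.113.5\t51004\t192.0.2.13\t443\ttcp\t-\tS0",
    "1497360005.5\tCb1\t198.51.100.7\t40000\t192.0.2.14\t4282\ttcp\t-\tS0",
])


def parse_conn_log(lines):
    """Yield one dict per record, keyed by the names in the #fields header.
    Other comment lines (#separator, #open, #close, #types, ...) are skipped."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row encountered before a #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            continue  # skip a truncated line rather than misalign the columns
        yield dict(zip(fields, values))


def failed_hosts(records, orig_h, before_ts=None, success_states=("SF",)):
    """Return {resp_h: {resp_p, ...}} for connections from orig_h whose
    conn_state is not a successful one, optionally only those with ts < before_ts.
    Treating everything except SF as failed mirrors the `egrep -v "SF"` approach
    in the thread; it is not the exact event set the stock scan policy uses."""
    hosts = defaultdict(set)
    for r in records:
        if r["id.orig_h"] != orig_h:
            continue
        if before_ts is not None and float(r["ts"]) >= before_ts:
            continue
        if r["conn_state"] in success_states:
            continue
        hosts[r["id.resp_h"]].add(r["id.resp_p"])
    return dict(hosts)


def crossed_threshold(hosts, threshold):
    """Address_Scan is about distinct destination hosts, not raw connection count."""
    return len(hosts) >= threshold


def open_logs(paths):
    """Stream lines from plain or gzip-compressed conn logs, in the order given."""
    for path in paths:
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
            yield from fh


def main(argv):
    # usage: addr_scan_tally.py ORIG_H BEFORE_TS THRESHOLD [conn.*.log[.gz] ...]
    # With no log paths the constructed sample above is used.
    if len(argv) < 4:
        print("usage: %s ORIG_H BEFORE_TS THRESHOLD [conn.log ...]" % argv[0])
        return 2
    orig_h, before_ts, threshold = argv[1], float(argv[2]), int(argv[3])
    lines = open_logs(argv[4:]) if len(argv) > 4 else SAMPLE_CONN_LOG.splitlines()
    hosts = failed_hosts(parse_conn_log(lines), orig_h, before_ts)
    for resp_h in sorted(hosts):
        print("%-16s ports: %s" % (resp_h, ", ".join(sorted(hosts[resp_h]))))
    print("%d distinct hosts; threshold %d %s" % (
        len(hosts), threshold, "reached" if crossed_threshold(hosts, threshold) else "not reached"))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it over the rotated logs for the day of the notice and the preceding days (conn.*.log.gz), passing the notice's timestamp as BEFORE_TS, to see which hosts contributed to the tally; if the count falls short, widen the set of log files rather than narrowing the ports, since the policy tracks one counter per source across every port.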